What is 'Signed URL' in Embed Settings?

Modified on: Mon, 23 May, 2016 at 6:33 AM

Signed URL is an added security feature, along with our Domain Restriction feature, to prevent your videos from being misused. While our Domain Restriction feature verifies the referrer information sent by the web browser, a signed embed code is verified through a signature appended to your embed code, which is generated using a secret signing key. An expiration time can be set for your signed embed code, so that the embed code is valid for a limited time only and cannot be reused.

Where to use the signed embed code?

Signed embed codes are used on sites that generate dynamic HTML content; programming expertise is required to generate them.

The signature parameter is dynamically generated by your application using your secret signing key, and the Private Media Channel will not serve the video unless the signature is valid and has not expired.

Enabling Signed Embed Codes

To enable signed embed codes, click on My Site > General Settings > Embed Settings > Enable Signed URL. Switch on the 'Enable Signed URL' button.

Generating Signed Embed Code URLs

The URL-signing protocol we use is very similar to the OAuth 1 signing protocol, using a Base64-encoded hash generated using the HMAC-SHA256 algorithm.

First we create the base string, which will be used to generate the hash. The base string is composed of the following elements:

Request method: The request method will always be POST.

Host name: The host name will be your channel URL. For example, channel.nichevid.com

Request path: The request path is the part of the URL after the host, up to the first ?

If the URL we are signing is http://channel.nichevid.com/player/gJ9XX98Z?autoplay=1, then the request path is /player/gJ9XX98Z

Sorted query parameters: First, we add the expiration parameter to the list of parameters. Choose a time a few minutes or so in the future (the time on your system should be synced using NTP or a similar protocol, so that your system's clock agrees with the Private Media Channel's system). The time you choose should be in UTC. The value should be represented as an epoch timestamp, an integer number of seconds. For example, the time of May 14 2016, 10:00:00 AM (UTC) would be represented as 1463220000. These values need to be encoded into a single string which will be used later on.

The process to build the string is very specific:

1. Percent encode every key and value that will be signed.

2. Sort the list of parameters alphabetically by encoded key.

3. For each key/value pair:

   Append the '&' character.

   Append the encoded key to the output string.

   Append the '=' character to the output string.

   Append the encoded value to the output string.

The following string is generated, by repeating these steps, using the same URL as above:

&autoplay=1&expires=1463220000

Now that we have all of our components, they need to be combined into a single string in the following format:

Request method

Host name

Request path

Sorted query parameters

The string will then look like this, with our example URL from above:

POST

channel.nichevid.com

/player/gJ9XX98Z

&autoplay=1&expires=1463220000

Now that we have our string, it's time to sign it.

Calculating the signature

Now generate your API key to sign the string. Read here on how to generate your API key. The signature is then calculated by passing the signature base string and signing key to the HMAC-SHA1 hashing algorithm. Algorithm details are explained here, but thankfully there are implementations of HMAC-SHA1 available for every popular language. For example, Ruby has the OpenSSL library and PHP has the hash_hmac function.

For example, the output for the example string and signing key of 140e8b4a-0732-4e26-b618-6faf4cc4d536 is "\372\210@wo\356[\335\263\037\222h\230Fo\300\323,|\375". That value, when converted to base64, is the signature for this request: JOdDFg12Ntw1QfBqwYU4o2QKfkJ+taBiabsI/Tb9VFk=

Building the final request URL

First, take the original URL: http://channel.nichevid.com/player/gJ9XX98Z?autoplay=1. Next add the expires parameter to the end like this: http://channel.nichevid.com/player/gJ9XX98Z?autoplay=1&expires=1463220000

Finally URI encode the signature parameter and add that to the end of the URL like this:
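
Added example (not part of the original article, and not the service's own code): the signing procedure above in Python, together with the receiver-side check that a signature is valid and has not expired. Assumptions: the base-string components are joined with newlines, the signature's query key is named signature, and HMAC-SHA256 is the digest (the article names both HMAC-SHA256 and HMAC-SHA1); the function names are this example's own.

```python
import base64
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def enc(value):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(str(value), safe="")

def base_string(host, path, params):
    """Method, host, path and the sorted '&key=value' pairs, one per line."""
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    query = "".join(f"&{k}={v}" for k, v in pairs)
    # ASSUMPTION: components are joined with newlines; the article lists them
    # on separate lines but does not name the separator.
    return "\n".join(["POST", host, path, query])

def sign(host, path, params, key, digest="sha256"):
    """Base64 of the HMAC over the base string. The digest is an ASSUMPTION:
    the article names both HMAC-SHA256 and HMAC-SHA1."""
    mac = hmac.new(key.encode(), base_string(host, path, params).encode(), digest)
    return base64.b64encode(mac.digest()).decode()

def signed_url(url, expires, key):
    """Append expires and the URI-encoded signature to an embed URL."""
    u = urlsplit(url)
    params = parse_qsl(u.query, keep_blank_values=True) + [("expires", str(expires))]
    sig = sign(u.netloc, u.path, params, key)
    sep = "&" if u.query else "?"
    # ASSUMPTION: the query key that carries the signature is "signature".
    return f"{url}{sep}expires={expires}&signature={enc(sig)}"

def verify(url, key, now):
    """Receiver side: exactly one signature, unexpired, constant-time match."""
    u = urlsplit(url)
    params = parse_qsl(u.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == "signature"]
    exps = [v for k, v in params if k == "expires"]
    if len(sigs) != 1 or len(exps) != 1 or not exps[0].isdecimal():
        return False
    if int(exps[0]) < now:
        return False  # expired: reject before comparing signatures
    signed = [(k, v) for k, v in params if k != "signature"]
    expected = sign(u.netloc, u.path, signed, key)
    return hmac.compare_digest(expected.encode(), sigs[0].encode())

if __name__ == "__main__":
    key = "140e8b4a-0732-4e26-b618-6faf4cc4d536"  # example key from the article
    url = "http://channel.nichevid.com/player/gJ9XX98Z?autoplay=1"
    print(signed_url(url, 1463220000, key))
```

Because expires is part of the signed parameters, changing it or any other query parameter in the URL invalidates the signature; only the holder of the signing key can issue a URL with a later expiry.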